ExpressVPN Cannot Hand over Logs to Turkish police because it has None

Turkish authorities have seized a VPN server run by ExpressVPN, only to find that the server contained no logs.

The seizure was part of an investigation into the 2016 assassination of Russian Ambassador to Turkey, Andrei Karlov. The assassination was carried out by police officer Mevlüt Mert Altıntaş, whom the Turkish government accuses of having links with US-based preacher Fethullah Gülen.

At around the time of the assassination, person or persons unknown logged into Altıntaş’ Gmail and Facebook accounts in order to delete conversations relating to the crime. Turkish authorities are understandably keen to trace whoever was responsible for this. They have hit a dead end, however, because the perpetrator used a VPN to hide his or her real IP address.

A VPN will hide your real IP address

The authorities were therefore only able to see that the perpetrator had logged into Facebook and Gmail via a VPN server operated by ExpressVPN. In order to find out more information, Turkish police raided the data center that housed the server and seized it.

True to ExpressVPN’s promises, however, the authorities found no logs stored on it that could be used to identify the perpetrator. They then asked ExpressVPN for assistance. As a spokesperson for ExpressVPN explained to us:

“The server seizure occurred before the Turkish authorities even contacted us. They contacted us to determine if we possessed the logs which they were unable to find on the server itself... which of course we did not.”

As clearly outlined in its privacy policy, ExpressVPN keeps no logs that could be used to identify what its users do online:

“We never keep traffic logs, and we also don’t keep any logs that might enable someone to match an IP and timestamp back to a user. We work entirely on the basis of shared IPs, meaning that a single IP does not track back to an individual user.”

ExpressVPN has released a statement confirming that it was unable to assist the investigation.

“As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.”

It should be noted that Facebook does not actually delete conversations. You can hide them from yourself, but they are still stored by Facebook. The same is also probably true of Google and deleted Gmail messages.

It is therefore unclear whether Facebook and Google have refused to help the Turkish authorities, or if the authorities have obtained the conversations and are simply looking for whoever tried to delete them.

ExpressVPN is true to its word

VPNs are useful for a variety of things, but one of their most important uses is to provide privacy. Keeping logs of what users get up to online is a threat to customers’ privacy, so most good VPNs promise not to keep any logs that can compromise this privacy.

How can we know that VPNs keep these promises? Well – cases such as this clearly prove that many do. ExpressVPN is to be warmly commended for doing exactly what it says it does – protecting users’ privacy by keeping no logs that can be used to identify what they get up to online.

Note that ExpressVPN does keep some anonymous usage statistics, but with no timestamp or IP logs, these present no threat to its users’ privacy. ExpressVPN is incorporated in the British Virgin Islands (BVI) and says that it will only respond to a legally binding court order issued by a BVI court.

“We would only disclose information about one of our users if compelled to do so by a legally valid court order issued from the BVI. However, the fact that we lease servers from data centers in many countries around the world means that we have nexus in other jurisdictions. When authorities in such jurisdictions contact us to inquire as to which ExpressVPN user had connected to a particular IP address or was responsible for certain network activity, we tell them that we lack the knowledge to answer such questions, as we do not possess connection logs or activity logs.”

Even were it somehow compelled to hand over logs, however (it wasn’t), it would not have been able to hand over something it does not have.

The dangers of VPN servers in multiple countries

ExpressVPN has used the incident to highlight the dangers inherent in leasing VPN servers from data centres where they can be seized:

“VPN providers are based in jurisdictions around the world, some worse than others. But when it comes to server seizures, it doesn't matter where the VPN company is based; every provider is equally at risk. VPN users should be conscious of choosing a reputable provider that invests in protecting the privacy and anonymity of its customers. That includes ensuring that no piece of personally-identifiable information ever hits a disk.”

In order to ensure the integrity of users’ data in future, ExpressVPN no longer operates physical servers in Turkey that can be raided. It instead offers virtual servers that provide a Turkish IP address, but are in reality based in the Netherlands.

“At ExpressVPN we've put a great deal of effort into not only protecting users from leaks, but also into protecting customers' privacy in the worst case scenarios, such as when servers are physically seized or otherwise compromised by government actors.”

The value of privacy

Now, some may object that this case proves the worst accusations thrown at VPNs - that they are tools used by criminals to hide their nefarious activities. But this is just the point – they are tools, and darned useful ones at that. But just like all tools, they can be used to bad purpose. As ExpressVPN notes:

“The assassination of Ambassador Andrey Karlov was a tragic crime. We absolutely do not condone any attempts to interfere with the investigation into the incident. ExpressVPN’s Terms of Service require customers to agree to not use ExpressVPN for anything other than lawful purposes.”

Privacy, however, is a fundamental human right. It gives us space to discuss ideas and formulate our own opinions on things without the fear of governments looking over our shoulders.

As George Orwell understood only too well, there is a reason why every repressive government since the beginning of civilization has tried to invade its citizens’ privacy. Privacy underpins the notion of freedom,

This makes the fact that ubiquitous blanket government surveillance of almost every aspect of our lives is fast becoming the norm a truly terrifying prospect. And when it’s not governments, it is commercial entities invading your privacy in order to sell you stuff.

We need tools like VPNs to preserve our freedom in the face of mass surveillance. That they can be (and are) occasionally misused is in the nature of any tool, but to focus on this is to play into the hands of those who would oppress us.

The search goes on

Turkish police want to access an iPhone belonging to Altıntaş but have also had little luck in this direction. All new iPhones are end-to-end encrypted, so Apple had to inform the Turkish authorities that it was unable to provide assistance.

Attempts to hire a private company to break into the phone instead have foundered in the face of high costs with no guarantee that the attempt would be successful.

The prosecution is now hoping that an examination of live footage taken by state broadcaster TRT from the scene at the time of the assassination will provide additional clues. A Hurriyet Daily News report states 33 suspects have testified in relation to the shooting and four have been placed under arrest.

Conclusion

It is in many ways unfortunate that the privacy claims made by VPN providers are only really put to the test when someone abuses their service. Nevertheless, this case proves that ExpressVPN can be trusted to look after your privacy.

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.